Lawyer Dr. Orlin Radinsky is interviewed about the legal advantages of ISO certifications

(Feb. 2010) - Legal compliance is closely linked not only with compliance with laws but also with recognized standards and regulations. It is, above all, in warranty and damage claims (keyword: breach of contract) that court experts use ISO Standards for assessment. What is reviewed is whether the defendant company has worked to the state of the art and with the highest possible due diligence. These two points are often decisive for the outcome of court proceedings. In the interview, lawyer Dr. Orlin Radinsky from the Viennese law firm BRAUNEIS, KLAUSER, PRÄNDL explains what legal importance certification according to ISO 27001 or ISO 20000 has. The standards for information security and IT service management contribute substantially to minimizing risk wherever the provision of contractually owed services depends on IT support and the protection of information. These interrelations are relevant worldwide wherever courts rely on recognized standards and regulations for expert opinions.

“If the duty to exercise due diligence is fulfilled, you will have a better hand in court proceedings.”

Service provision to the state of the art in connection with a scale of due diligence is a “red-thread path” throughout economic law. Actions relating to legal compliance refer both to the company as a legal entity and to the managing organs, such as Managing Directors or CEOs, the supervisory bodies and the employees. What is remarkable in this respect: legal terms will “live” and develop depending on the economic environment. What used to be regarded as due diligence some years ago can be graded as insufficient today. If the contractually agreed services are not provided due to a lack of due diligence, the company will be threatened with considerable damage claims on the part of the client.

“Once an ISO Standard is published, it will often be used as a scale for expert opinions before the court.”

What relationship to ISO Standards do you see in the IT sector?

To get to the heart of it: if it is regarded as state of the art to apply standardized information security and IT service management in relevant areas, compliance with the corresponding ISO Standard will be reviewed in the event of damage. For ISO Standards are based on good practices that have been defined worldwide. As soon as an ISO Standard has been published, it is very probable that this standard will be used as a scale by court experts. An “ordinary” Managing Director will have to keep himself/herself informed according to general legal understanding. In the areas for which there are ISO Standards, general management will have to ensure the company is working at this level. The “scale of due diligence” can then differ depending on the services and risks.

What are the advantages yielded by certification for you as a lawyer?

On the one hand, the standards ISO 27001 and ISO 20000 require top management to obtain knowledge of relevant standards, regulations and laws. On the other hand, it needs to be checked whether top management and the employees actually comply with these standards and regulations. This means the following: once standards and regulations have been implemented, a review of legal compliance conforming to the standard helps to draw a net of legal certainty within the company. What is even more important: in court proceedings, the outcome often depends on the demonstrability of due diligence when providing services: due diligence must explicitly be demonstrated. For assessing cases involving IT or information security, experts will use ISO 27001 and ISO 20000 as a scale. Certifications will demonstrate quality because the Certification Body makes an independent review as to whether the employees are working according to established technical and legal basic conditions. By being refreshed by means of internal audits and re-certifications, the level will be kept or improved continually. This corresponds to the legal basis of due diligence.

“Occasionally it will make sense to integrate ISO Standards in contracts. This will increase safety and certainty for customers and minimize the contractor’s liability risk.”

If there is certification, is the company not at fault even if there are failures?

Let’s put it this way: ISO 27001 and ISO 20000 make it much easier to demonstrate due diligence when providing services. If failures occur in spite of all safety precautions, the company is not at fault, so that in principle there is no liability for damages. In most cases handled by our Lawyers’ Office, we will, for Service Agreements, recommend certified companies to incorporate the corresponding ISO Standard as a scale for service provision into the agreement. This will increase safety and certainty on both sides. The customers as well as the clients will profit: customers can be more certain they will obtain the service without failures. Clients will minimize their liability risk when providing their services and can demonstrate exercise of due diligence more easily.

What’s the effect of certification on liability of top management?

Still another advantage of ISO certification is yielded directly to top management, Managing Directors and Members of the Board. Example: under certain conditions, the company can, in connection with events of damage, e.g. due to product liability, place claims on the company’s own top management if top management has failed to establish an internal control system and has caused certain damage. If the company is certified according to ISO, which implies important requirements relating to an internal control system, top management has fulfilled its relevant duty to exercise due diligence and will thus come off well.

What advantages do ISO Standards yield to an internal control system from a legal perspective?

Such rules as Sarbanes-Oxley or the 8th EU Directive require an internal control system. In connection with product liability, an internal control system is not required explicitly but is becoming more and more important in practice. The requirement for an internal control system also includes risk management, documentation and controls making it possible to handle all business transactions with the highest possible safety. Against this background, information security management systems (ISMS) or IT service management systems play a crucial role. The Certificate issued by an accredited organization such as CIS demonstrates that an organization’s IT meets international standards. As the legally stipulated duty of documentation is automatically fulfilled if a management system is certified and thus demonstrably translated into action, the competent persons demonstrably fulfil their duty to exercise due diligence. Thanks to this, the risk of personal liability will be minimized.